As the maintainer of Service Accounts for a Logistics application spread across multiple projects, you need to enable VMs in the web-applications project to access activity data stored in a BigQuery dataset within the em-databases-app project. According to Google's recommended practices, how should you configure access for the service accounts?